Windows 2008 R2 Event Log

2008 R2 64bit

I am in the process of defining a GPO on the default Domain controllers policy and I had enabled the following for audits:
1) Audit Logon Events (S/F) = Success and Failure
2) Account Management
3) Directory Service Access
4) Policy Change

I used best practice from MS to set the Max size for application, security and systems to 4194240 kb.

Now moving to the Retain and Retention, can anyone guide me on what would be best definied. I want to have the event there at least up to 90 days.
Who is Participating?
I would select the option to overwrite events as needed.  The size you have set the log to (4GB) should be way more than sufficient to handle audits for 90 days.

If you set anything else, people will be prevented from loggingin if the log fills up and you don't clear it.
Kiran ChCommented:
It would be a tricky answer. I would suggest you to plan for automatic archiving of eventlogs after certain number of days.

Also there is another thread going on a similar topic. You can read it as well.
shorisAuthor Commented:
Thank you. So since I set it at 4gb and appled the retention override as needed, does that mean that if the log fills to 4gb then the retention will kick in and clear it. This way I don't have to clear it myself or risk of logs filled before any user can't login.
It will not clear the entire log.  It will "roll" the log, which means when you reach the 4GB mark, it will continue logging by replacing the oldest entry in the log first.  So if you write 5 entries, the oldest 5 entries will be lost.  Thereby we maintain the 4GB file size and still continue logging.
shorisAuthor Commented:
Thankyou so much for the explaination. Excellent. that works out.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.